Adoptable Cookbooks List

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

sudo cookbook

The default recipe configures the /etc/sudoers file. The cookbook also includes a sudo resource to adding and removing individual sudo entries.

Requirements

Platforms

Debian/Ubuntu

RHEL/CentOS/Scientific/Amazon/Oracle

Amazon Linux

FreeBSD

macOS

openSUSE / SUSE Enterprise

Chef

Chef 12.21.3+

Cookbooks

None

Resource

Use the sudo resource to add or remove individual sudo entries using sudoers.d files.

Note Sudo version 1.7.2 or newer is required to use the sudo resource as it relies on the "#includedir" directive introduced in version 1.7.2. The resource does not enforce installing the version. Supported releases of Ubuntu, Debian and RHEL (6+) all support this feature.

Actions

:create - Create a sudoers config

:delete - Delete a sudoers config

Properties

Property

Description

Example Value

Default Value

filename

name of the /etc/sudoers.d file

restart-tomcat

resource's name

commands

array of commands this sudoer can execute

['/etc/init.d/tomcat restart']

['ALL']

groups

group(s) to provide sudo privileges to. This accepts either an array or a comma separated list. Leading % on group names is optional. This property was named 'group' prior to the 5.1 cookbook release.

%admin,superadmin

[]

nopasswd

allow running sudo without specifying a password sudo

true

false

noexec

prevents commands from shelling out

true

false

runas

User the command(s) can be run as

root

ALL

template

the erb template to render instead of the default

restart-tomcat.erb

users

user(s) to provide sudo privileges to. This accepts either an array or a comma separated. This property was named 'user' prior to the 5.1 cookbook release. list.

[tomcat, webapp]

[]

defaults

array of defaults this user has

['!requiretty','env_reset']

setenv

whether to permit the preserving of environment with sudo -E

true

false

env_keep_add

array of strings to add to env_keep

['HOME', 'MY_ENV_VAR MY_OTHER_ENV_VAR']

env_keep_subtract

array of strings to remove from env_keep

['DISPLAY', 'MY_SECURE_ENV_VAR']

variables

the variables to pass to the custom template. Ignored if not using a custom template.

commands: ['/etc/init.d/tomcat restart']

If you use the template property, all other properties will be ignored except for the variables property.

Examples

user bob sudo privileges for any command

sudo 'bob' do
user 'bob'
end

group sysadmin passwordless sudo privileges for any command

sudo "sysadmin" do
group "sysadmin"
nopasswd true
end

group sysadmin/superadmin and user bob passwordless sudo privileges for any command

Built-In vs. Provided Templates

The resource provides two methods for templating the sudoers config files:

Using the built-in template

Using a custom, cookbook-level template

Both methods will create the /etc/sudoers.d/#{resourcename} files with the correct permissions.

The resource also performs fragment validation. If a sudoer-fragment is not valid, the Chef run will throw an exception and fail. This ensures that your sudoers file is always valid and cannot become corrupt (from this cookbook).

Maintainers

This cookbook is maintained by Chef's Community Cookbook Engineering team. Our goal is to improve cookbook quality and to aid the community in contributing to cookbooks. To learn more about our team, process, and design goals see our team documentation. To learn more about contributing to cookbooks like this see our contributing documentation, or if you have general questions about this cookbook come chat with us in #cookbok-engineering on the Chef Community Slack

License

Copyright: 2008-2018, Chef Software, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

sudo Cookbook CHANGELOG

This file is used to list changes made in each version of the sudo cookbook.

5.3.1 (2018-03-13)

Use visudo_path property to override the path to visudo

Handle poorly deliminated strings in the users property

Add backwards compatibility for the :delete action

5.3.0 (2018-03-13)

Use the includedir directive on Solaris and macOS in addition to Linux. All three of these platforms support it out of the box on non-EOL releases

Fail with a useful message in the resource when on FreeBSD since FreeBSD doesn't support sudoers.d`

Skip / warn if visudo isn't present where we expect it to be instead of failing hard

Fully support macOS in the resource and recipe

5.2.0 (2018-03-13)

Refactored the resource to use Chef's built in template verification functionality. This avoids a lot of custom work we did in the resource to verify the config file before we wrote it out. Not only does this reduce code complexity/fragility in this cookbook, it removes the double template resource you'd see in converges before.

5.1.0 (2018-03-13)

Rework the readme to with additional documentation on the resource

Fix a compilation failure if the user was specifying their own template

Improve the conditions in which the property validation fails

Renamed the group property to groups with backwards compatibility

Renamed the user property to users with backwards compatibility

Change the type of users/groups to Arrays so you can either specify comma separated lists or arrays of users/groups

Improve the splitting of the list of users/groups to handle spaces before/after the commas

Properly add % to each group name in arrays as well as comma separated lists. Also support the scenario where one group has a % and the other does not

Support setting up sudo for both users and groups in the same config. We now combine the users and groups as you would expect

5.0.0 (2018-03-11)

Converted the LWRP to a custom resource

Changed the package install logic to only try to install sudo when we're on a docker guest where sudo is generally missing. This uses the docker? helper which requires 12.21.3, which is the new minimum Chef version supported by this cookbook

The property validation logic previously in the resource is now actually run. This prevents combinations of resources that will not work together from being used.

Reordered the readme to list the resource first as this is the preferred way to use this resource

Removed the node['authorization']['sudo']['prefix'] attribute. In the recipe this is automatically determined. In the resource there is a new config_prefix property. This should have no impact on users as the proper settings for each OS are still specified.

Added a new filename name_property is you want to specify the filename as something different than the resource's name. This helps avoid resource cloning issues.

The :install action has been renamed to :create, while retaining backwards compatibility with the old name

Resolved FC085 Foodcritic warning

4.0.1 (2018-02-16)

FIX: in templates the attribute "passwordless" and other with data type String always will be return true

Add an attribute for setting sudoers.d mode

Removed the ChefSpec matchers. These are now autogenerated by ChefSpec. If you are seeing matcher failure upgrade to ChefDK 2.4 or later.

4.0.0 (2017-11-28)

Breaking Changes

sudo .d functionality is now enabled by default on Linux systems. This allows the sudo resource to function with setting node['authorization']['sudo']['include_sudoers_d'] to true. Only some older / EoL distros this will break sudo functionality so make sure you test this and set it to false if you're running an EoL distro

The sysadmin group is no longer added to sudoers by default anymore. Historically many community cookbooks assumed all admins were in this sysadmins group. We've moved away from that assumption since it was a suprise to many when this group was added. If you rely on this behavior make sure to node['authorization']['sudo']['groups'] attribute to inlude the sysadmin group.

Other Changes

Remove the debian-isms from the sudo.d readme file which is copied onto multiple Linux systems

3.5.2 (2017-06-26)

3.5.1 (2017-06-21)

Remove sysadmin from default groups as sysadmin is no longer a group we push via the users cookbook.

3.5.0 (2017-05-16)

Add sudo package management to resource

3.4.0 (2017-04-26)

Add lwrp support for only env_keep add/subtract

Readme improvements

Move the files out of the default directory since Chef >= 12 doesn't require this

Test with Local Delivery instead of Rake

Cookstyle fixes

Update apache2 license string

3.3.1 (2017-01-17)

fixed command_aliases in README

3.3.0 (2017-01-04)

Add attributes for env_keep_add and env_keep_subtract for the base sudoers file

Sanitize file names in the :remove action so we remove the proper files

3.2.0 (2016-12-27)

Convert ~ to __ like we do for i (sudoers.d files)

3.1.0 (2016-10-24)

add attribute custom_commands for user and group

3.0.0 (2016-09-08)

Testing updates

Require Chef 12.1+

2.11.0 (2016-08-09)

Add support for NOEXEC flag

v2.10.0 (2016-08-04)

Added a warning to the LWRP if include_sudoers_d is set to false

Enabled use_inline_resources in the LWRP

Added IBM zlinux as a supported platform

Added suse, opensuse, and opensuseleap to the metadata as they are now tested platforms

Added chef_version metadata to metadata.rb

Removed attributes from the metadata.rb as this serves little purpose

Converted bats integration tests to inspec

Switched from rubocop to cookstyle for Ruby linting

Removed the need for the apt cookbook in the test suite by using the apt_update resource instead

Switched from kitchen-docker to kitchen-dokken and enabled Debian/Opensuse platforms in Travis

v2.9.0 (2016-02-07)

Updated the provider to avoid writing out config files with periods in the filename when a user has a period in their name as these are skipped by the sudo package. A sudo config for invalid.user will write out a config named invalid_user now.

v2.8.0 (2016-02-04)

Added a new attribute to the recipe and provider for adding SETENV to sudoer config

Updated development deps to the latest version

Setup test kitchen to run in Travis with kitchen-docker

Expanded the kitchen.yml config to include additional platforms

Renamed the test recipe from fake to test

Updated the testing and contributing docs to the latest

Added maintainers.toml and maitainers.md

Added a chefignore file to limit which files get uploaded to the chef server

Added long_description to the metadata.rb

Added source_url and issues_url for Supermarket to the metadata.rb

Resolved all Rubocop warnings

Updated the Chefspec to the 4.x format

Removed kitchen cloud testing configs and gem deps

Removed the Guardfile and the gem deps

v2.7.2 (2015-07-10)

Adding support for keep_env

misc cleanup

v2.7.1 (2014-09-18)

[#53] - removed double space from sudoer.erb template

v2.7.0 (2014-08-08)

[#44] Add basic ChefSpec matchers

v2.6.0 (2014-05-15)

[COOK-4612] Add support for the command alias (Cmnd_Alias) directive

[COOK-4637] - handle duplicate resources in LWRP

v2.5.2 (2014-02-27)

Bumping version for toolchain sanity

v2.5.0 (2014-02-27)

Bumping to 2.5.0

v2.4.2 (2014-02-27)

[COOK-4350] - Fix issue with "Defaults" line in sudoer.erb

v2.4.0 (2014-02-18)

BREAKING CHANGE: The sysadmin group has been removed from the template. You will lose sudo access if:

You have users that depend on the sysadmin group for sudo access, and

You are overriding authorization.sudo.groups, but not including sysadmin in the list of groups